Hi Pavel,
Thus wrote Pavel Skripkin (paskripkin@xxxxxxxxx):
> It's a bit unrelated to the patch, but I found it while reviewing this. It's
> in the same function rtl8188e_PHY_RF6052SetCckTxPower():
> 89: u32 TxAGC[2] = {0, 0};
> ...
> 92 u8 *ptr;
> ...
> 129 for (idx1 = RF_PATH_A; idx1 <= RF_PATH_B; idx1++) {
> 130 ptr = (u8 *)(&TxAGC[idx1]);
> 131 for (idx2 = 0; idx2 < 4; idx2++) {
> 132 if (*ptr > RF6052_MAX_TX_PWR)
> 133 *ptr = RF6052_MAX_TX_PWR;
> 134 ptr++;
> 135 }
> 136 }
> What is going on here? Code just checks and writes to random place on stack
> outside TxAGC array? I might be missing something, but it looks wrong...
TxAGC is two 32-bit values, i.e. 2 x 4 Bytes. The outer loop selects a
32-bit array entry, the inner loop iterates over each byte of this entry
and checks that it is <= RF6052_MAX_TX_PWR. I don't think this writes past
the end of the TxAGC[] array.
The rtlwifi driver contains a similar check in
rtl92ce_phy_rf6052_set_cck_txpower().
Best regards,
Martin
